Google today announced that Chrome will gradually ensure that secure (HTTPS) pages only download files securely. It will begin blocking "mixed content downloads" (non-HTTPS downloads started on secure pages) in a series of steps outlined below. This move is part of a plan announced last year to block all insecure resources on secure pages.
Insecurely downloaded files are a security and privacy risk to users. For example, an insecurely downloaded program could be swapped by an attacker for malware, and an eavesdropper could read a bank statement that a user has downloaded insecurely.
Google Chrome plans to roll out the mixed content download restrictions first on desktop platforms (Windows, macOS, Chrome OS and Linux). The plan for desktop platforms is as follows:
- In Chrome 81 (released March 2020) and later:
  - Chrome will print a console message warning about all mixed content downloads.
- In Chrome 82 (released April 2020):
  - Chrome will warn on mixed content downloads of executables (e.g. .exe).
- In Chrome 83 (released June 2020):
  - Chrome will block mixed content executables.
  - Chrome will warn on mixed content archives (.zip) and disk images (.iso).
- In Chrome 84 (released August 2020):
  - Chrome will block mixed content executables, archives and disk images.
  - Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
- In Chrome 85 (released September 2020):
  - Chrome will warn on mixed content downloads of images, audio, video, and text.
  - Chrome will block all other mixed content downloads.
- In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
For Android and iOS users, Chrome will postpone the rollout by one release, beginning with warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and the delay gives developers a head start on upgrading their websites before mobile users are affected.
Developers can prevent users from seeing warnings on their downloads by making sure downloads use HTTPS only. In the current Chrome Canary version, or in Chrome 81, developers can enable the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content to trigger a warning on all mixed content downloads.
Enterprise and education customers can allow mixed content downloads per site by adding a pattern matching the page that initiates the download to the existing InsecureContentAllowedForUrls policy.
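As an added example (not from the article or from Chrome's own code), the following script lets a site owner audit the download links on an HTTPS page against the desktop schedule above, including the one-release delay for Android and iOS. The article names only .exe, .zip and .iso explicitly; the other extensions, the hostnames and the assumption that the Chrome 81 console message persists in later releases are this example's own.

```javascript
// Added example, not from the original article. The article names only .exe,
// .zip and .iso; the other extensions here are assumptions filling its categories.
const CATEGORY_EXTENSIONS = {
  executable: ['exe', 'msi', 'bat', 'dmg', 'apk'],
  archive: ['zip', '7z', 'rar', 'tar', 'gz'],
  diskimage: ['iso', 'img'],
  media: ['png', 'jpg', 'gif', 'mp3', 'wav', 'mp4', 'webm', 'txt', 'csv'], // image/audio/video/text
};

// Map a download URL to one of the categories above, or 'other'.
function categorize(downloadUrl) {
  const m = /\.([a-z0-9]+)$/i.exec(new URL(downloadUrl).pathname);
  const ext = m ? m[1].toLowerCase() : '';
  const hit = Object.entries(CATEGORY_EXTENSIONS).find(([, exts]) => exts.includes(ext));
  return hit ? hit[0] : 'other';
}

// Returns 'not-mixed', 'none' (before Chrome 81), 'console' (DevTools message
// only; assumed to persist from 81 onward), 'warn' or 'block'.
// mobile=true shifts the schedule back one release (Android/iOS start at 83).
function classifyMixedContentDownload(pageUrl, downloadUrl, chromeVersion, mobile = false) {
  if (new URL(pageUrl).protocol !== 'https:' || new URL(downloadUrl).protocol !== 'http:') {
    return 'not-mixed';
  }
  const v = mobile ? chromeVersion - 1 : chromeVersion;
  const cat = categorize(downloadUrl);
  const isExe = cat === 'executable';
  const isPackage = cat === 'archive' || cat === 'diskimage';
  if (v < 81) return 'none';
  if (v >= 86) return 'block';
  if (v === 85) return cat === 'media' ? 'warn' : 'block';
  if (v === 84) return isExe || isPackage ? 'block' : cat === 'media' ? 'console' : 'warn';
  if (v === 83) return isExe ? 'block' : isPackage ? 'warn' : 'console';
  if (v === 82) return isExe ? 'warn' : 'console';
  return 'console'; // Chrome 81: console message for every mixed content download
}

// Audit the download hrefs found on a page; report those a user would see warned or blocked.
function auditDownloads(pageUrl, hrefs, chromeVersion, mobile = false) {
  return hrefs
    .map((href) => ({ href, outcome: classifyMixedContentDownload(pageUrl, href, chromeVersion, mobile) }))
    .filter((r) => r.outcome === 'warn' || r.outcome === 'block');
}

// Constructed sample links as they might appear on an HTTPS download page.
const SAMPLE_LINKS = ['http://cdn.example.com/setup.exe', 'http://cdn.example.com/bundle.zip',
  'http://cdn.example.com/manual.pdf', 'https://cdn.example.com/secure.exe'];
console.log(auditDownloads('https://www.example.com/downloads', SAMPLE_LINKS, 84));
```

Run it with Node; a download with no file extension is treated as 'other', so switching the whole download host to HTTPS remains the only fix that clears every outcome.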